ffang commented on PR #313: URL: https://github.com/apache/ws-wss4j/pull/313#issuecomment-2379717533
Hi @coheigea , I just pushed another commit. I think for now to be able to run on FIPS machine/JDK, we need to introduce org.bouncycastle:bc-fips as an optional dependency, which supports RSA-OAEP padding. So this patch introduces a system propery "fips.enabled", when it is true, we change symEncAlgo from "AES_CBC" to "AES_GCM"(as CBC isn't allowed in FIPS). Also for the JasyptPasswordEncryptor, we change DEFAULT_ALGORITHM from PBEWithMD5AndTripleDES(this isn't allowed in FIPS) to PBEWithHmacSHA512AndAES_256, which requires Random Generator as PKCS11(the default SHA1PRNG isn't allowed in FIPS). Also there are follow up changes in CXF to reflect this change in WSS4J. WDYT? Thanks! Freeman -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For additional commands, e-mail: dev-h...@ws.apache.org
